Heads-up: Upcoming patch for a high-severity OpenSSL defect


Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 1.0.2f, 1.0.1r.

These releases will be made available on 28th January between approx.
1pm and 5pm (UTC). They will fix two security defects, one of “high”
severity affecting 1.0.2 releases, and one “low” severity affecting all



Another SSL Bug

Heart_Bleed_Patch_3_by_Merlin2525Rick Moen
<r***@linuxmafia.com> Fri, Jun 6, 2014 at 2:38 AM
To: svlug@*****.svlug.org

Remember back in April, when a large portion of the Internet was suddenly exposed to a grave bug (‘Heartbleed’) in the OpenSSL crypto libraries? Back then, it turned out upon examination that most systems using OpenSSL ducked the bullet because only the very most recent OpenSSL releases (1.0.1 through 1.0.1f) included the buggy and mostly pointless feature.

Well, it’s a new day, and an… old bug has been discovered. That is,
a very grave coding error (CVE-2014-0224) has been discovered that’s
been present in -every- release of OpenSSL since the very beginning –
all 16 years of releases.

Thursday, a coder named Masashi Kikuchi was working on a project to
write his own SSL/TLS code, and one of the uncertain parts was a
protocol spec called ChangeCipherSpec (CCS), whereby an SSL or TLS client and server can, at specified times and carefully controlled ways, negotiate change from one cipher suite to another.

So, Masashi studied the way OpenSSL implemented CCS – and quickly
noticed that OpenSSL does it wrong. OpenSSL doesn’t merely accept CCS
requests at the specified times and carefully controlled ways, but also
at pretty much any time and any manner – with the consquence that
attackers can exploit this nonstandard behaviour so that they can
decrypt and/or modify data in the communication channel.

Which OpenSSL versions, you ask? As I mentioned above, all of them.
Every single release of OpenSSL over the past 16 years has had
exploitably buggy CCS.

Reemmber how many sites were quietly relieved that the Heartbleed bug didn’t affect SSH, only SSL-wrapped HTTP? No such luck, this time. I see offhand no reason why this bug cannot also be used to attack
OpenSSH. (I could be wrong.)

Both server-side and client-side uses of OpenSSL are threatened by this bug.

The major distros have rushed out new packages already. You know what
to do!

svlug mailing list

Heartbleed Bug – Status, What, & Who

Where Do Web Sites Stand, Post-Heartbleed

How Heartbleed Bug Works

How Heartbleed Bug Works

2014 April, 21

  • A scan of the top 1 million Web sites found that none of the top 1,000 sites were vulnerable to the Heartbleed OpenSSL bug, and only 0.53 percent of the top 10,000, 1.5 percent of the top 100,0000 and 2 percent of the top 1 million were vulnerable, according to the security firm Sucuri Security.


Items Below

  • Rick Moen’s FAQ
  • How the Heartbleed bug scurried into the hearts and minds of millions – April 17
  • There Will Be More Blood – April 14
  • THE FIX by ‘Neel Mehta of Google Security” – April 9
  • MAJOR SECURITY ISSUE WITH SSL: Does the Heartbleed Bug Mean You Should Stay Off the Internet? – April 9


Rick Moen’s FAQHeart_Bleed_Patch_3_by_Merlin2525

There are several other very worthwhile places posting commentary.
If no other, read Bruce Schneier’s blog.

Otherwise, you can read the FAQ in the mailing list archive below.

Here’s how the Heartbleed bug scurried into the hearts and minds of millions
2014 April, 17
There Will Be More Blood
2014 Apr, 14
THE FIX by ‘Neel Mehta of Google Security
2014 April, 9
MAJOR SECURITY ISSUE WITH SSL: Does the Heartbleed Bug Mean You Should Stay Off the Internet? | Mother Jones
2014 April, 9